Akamai global network receives FedRAMP security approval

By Rutrell Yasin

Aug 29, 2013

Akamai has been granted provisional approval to offer cloud services under the Federal Risk and Authorization Management Program (FedRAMP) cloud security program, becoming the first provider of its kind to achieve the highest security level under the program, according to company officials.

Akamai provides a global shared cloud platform for the delivery of applications and Web content, said Tom Ruff, vice president of public sector with Akamai. The five other cloud providers that have received provisional approval to operate offer core services such as infrastructure, storage or solutions as a service.Those approvals were based on the providers building out a government unique cloud, Ruff said. “We received the FedRAMP stamp of approval for our highly distributed commercial network.” The Akamai Intelligent Platform has been deployed by the Defense Department and 14 of the 15 Cabinet-level agencies. As a result, Akamai needed governmentwide accreditation, Ruff told GCN.

FedRAMP is a U.S. governmentwide program that standardizes the approach to security assessment, authorization and continuous monitoring for cloud products and services. FedRAMP uses a “do once, use many times” framework that is expected to reduce the cost, time and staff required to conduct redundant agency security assessments of cloud solutions.

Akamai received the FedRAMP Joint Authorization Board’s provisional authorization — the most rigorous approval — which involves a thorough review by chief information officers of the General Services Administration, and Homeland Security and Defense departments.

Akamai offerings assessed in the FedRAMP certification and accreditation included: content delivery, secure content delivery, HD streaming, NetStorage, global traffic management and enhanced Domain Name System. In addition, many of Akamai’s internal management systems are included in the provisional authority to operate.

Global traffic management is important for load balancing between data centers for data continuity, Ruff noted. Akamai’s services also provide protection for one of the most popular attack vectors today – DNS servers, he said. If an agency's or business' DNS servers are taken down, the network is knocked out, he noted. Additionally, Akamai’s portal services give agencies the same type of visibility of end users, networks and devices within cloud platforms that the administrators are accustomed to within their data centers.

Agencies can use Akamai as a cloud service provider or as a front-end network to other FedRAMP cloud providers, which is how CGI Federal, a FedRAMP-approved cloud provider being used by the Homeland Security Department, Ruff said.

Validating a highly tailored and customized environment such as Akamai’s required a collaborative effort between Akamai, KCG, and the FedRAMP program office, said Matt Mitchell, a director with KCG’s consulting practice. Testing over 240 security controls at the provisional authorization level took a while, he said. Akamai and KCG worked with FedRAMP officials to help them understand how a highly distributed approach could meet and exceed FedRAMP requirements. FedRAMP officials were used to dealing with a more data center-centric approach, Ruff noted.

Akamai’s globally distributed network might raise questions about whether or not government data will reside within the United States, a requirement for federal agencies. Ruff noted that Akamai has supported high security requirements such as the International Traffic in Arms Regulations and rules stipulating that data resides within the United States prior to FedRAMP.

For example, the Air Force might use Akamai to keep certain content within the United States but at the same time allow service members overseas with DOD Common Access Card credentials to securely access the content, he noted.

With Akamai joining the FedRAMP ranks, nine cloud services providers are now compliant with FedRAMP requirements. Six cloud providers have been granted provisional authority, the highest security level under the program, including Akamai, AT&T, Autonomic Resources, CGI Federal, Hewlett-Packard and Lockheed Martin. Three other cloud providers have been granted agency Authority to Operate, including Amazon Web Services’ GovCloud and US East/West offerings, each receiving authorization by the Health and Human Services Department. The Agriculture Department’s National Information Technology Center has also been granted an authority to operate by the USDA Office of the CIO.